Pick n Pay exposed delivery customer data online

Hanno Labuschagne

Several Pick n Pay customers who used the company's delivery service have had their data exposed online, a tip from a MyBroadband reader has revealed.

Customer delivery information for Pick n Pay's online shopping service was available on a tracking website for courier Dawn Wing to anyone on the Internet who knew where to look.

The site exposed people's names and addresses, and included photos of their orders taken by couriers to prove that they had delivered the items.
 
I've also seen this with another company that used a courier service. Could see all of their clients' delivery schedules. This was fixed the following day. Wonder how many people noticed.
 
That kind of stupid requires criminal charges.
They made no attempt to protect and keep the data private.
 
So are data breaches a common thing in SA these days? Just asking.
Not just SA - all over the world. It is a serious issue, and in many cases not the fault of the breached company. Blaming the company in some cases would be like blaming the bank for an armed robbery or cash in transit heist.

In this particular case it was a rookie error - how many more times are developers going to make this same schoolboy error.
 
Dawn Wing is honestly the worst courier company I have ever come across. Just having a look at their Google Maps reviews will tell you what most think of them.

I too had a package delivered by them, after a few attempts. Pathetic. They send a missed call, and if you don't call them back, you can forget about your package. Their customer service is non-existent.

I can honestly say, I was laughing when I saw this.
 
Not just SA - all over the world. It is a serious issue, and in many cases not the fault of the breached company. Blaming the company in some cases would be like blaming the bank for an armed robbery or cash in transit heist.

In this particular case it was a rookie error - how many more times are developers going to make this same schoolboy error.

Simple answer: until there are serious consequences to a company for allowing these sorts of schoolboy errors out into the wild.

And I say this knowing that it's almost impossible to catch every single schoolboy error that developers will make as systems get more and more complicated, but until there are actual tangible consequences for a data breach of this nature nothing will change.
 
Not just SA - all over the world. It is a serious issue, and in many cases not the fault of the breached company. Blaming the company in some cases would be like blaming the bank for an armed robbery or cash in transit heist.

In this particular case it was a rookie error - how many more times are developers going to make this same schoolboy error.
I'm trying not to generalise here but I cannot think of any scenario where "the breached company" would not be at fault.

Even in this case where customer data was passed from Pick 'n Pay to Dawn Wing, the responsibility for ensuring that customer data is properly secured by Dawn Wing is still the responsibility of Pick 'n Pay; it is also Dawn Wing's responsibility, but Pick 'n Pay's own QA people dropped the ball by not checking Dawn Wing's data security.

As for it being a rookie error, that tells me that there was zero QA involvement from either company, otherwise rookie mistakes would have been detected and rectified.

MyBB needs to follow up on this with the regulator to see if either company has bothered to report their lack of security.

Dawn Wing is honestly the worst courier company I have ever come across. Just having a look at their Google Maps reviews will tell you what most think of them.

I too had a package delivered by them, after a few attempts. Pathetic. They send a missed call, and if you don't call them back, you can forget about your package. Their customer service is non-existent.

I can honestly say, I was laughing when I saw this.
I have experienced this with both Dawn Wing and Fastway (multiple incidents with both in the last few weeks, not even Black Friday), I honestly cannot say which is worse, they are both terrible, although arguably still better than SAPO (so there is that in their favour).
 
It should be seriously policed. It's like me lending you my car and then you lend it to someone else who leaves it on the street where it gets stolen.
 
Not just SA - all over the world. It is a serious issue, and in many cases not the fault of the breached company. Blaming the company in some cases would be like blaming the bank for an armed robbery or cash in transit heist.

But those cars are armored against intrusion. An attempt is made to keep criminals out.
These guys made no attempt.
 
But those cars are armored against intrusion. An attempt is made to keep criminals out.
These guys made no attempt.
Which is exactly what I said - in this case it was a rookie error.
 
The concerning thing about this is not that it was hacked or anything like that, but simply that the developer didn't bother adding the wrapper to ensure it's only accessible by X-logged-in-person.

From what I understand an internal view and its sub-views were left unprotected and accessible by anyone with the direct link.

Which can only be due to the following scenarios:

1) Company not spending enough to get proper devs.
2) Perhaps the company wasn't clear that they wanted it protected - for all we know the dev was instructed by Pete from Operations (who doesn't know anything about Tech), who insisted he doesn't want to use a password every time, and the Dev didn't have time / knowledge to write a proper passwordless login (eg Email -> send login to email -> expire in an hour)
3) Simple code error from the Dev.
4) Merged a development branch with the Master branch before it was reviewed.

Probably more reasons, but these are the most likely ones imo.
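To make the point in the post above concrete, here is an added example (not code from Dawn Wing, Pick n Pay or the original thread) of a tracking view with the missing "wrapper" beside a protected version that uses the one-hour emailed link the poster suggests: the link carries an HMAC signature bound to a single order and an expiry, so knowing or guessing another order's URL reveals nothing. Order records, the secret and the URL layout are constructed assumptions.

```python
"""Hypothetical courier tracking view: unprotected vs. signed, expiring link."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample records standing in for a courier's delivery data.
ORDERS = {
    "PNP-1001": {"name": "A. Customer", "address": "1 Example Rd", "proof": "photo-1001.jpg"},
    "PNP-1002": {"name": "B. Customer", "address": "2 Example Rd", "proof": "photo-1002.jpg"},
}
SECRET = b"constructed-server-side-secret"  # assumption: loaded from a secret store in a real deployment
TOKEN_TTL = 3600  # one hour, matching the expiry suggested in the post


def track_unprotected(order_id):
    """The flaw described in the thread: any order is viewable by anyone who has the id."""
    return ORDERS.get(order_id)


def _sign(order_id, exp):
    # The MAC covers both the order id and the expiry, so neither can be swapped.
    return hmac.new(SECRET, f"{order_id}|{exp}".encode(), hashlib.sha256).hexdigest()


def mint_tracking_link(order_id, now=None):
    """Link to email to the customer; valid for one order and for TOKEN_TTL seconds."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"/track/{order_id}?exp={exp}&sig={_sign(order_id, exp)}"


def track_protected(url, now=None):
    """Return the order only when the link carries a valid, unexpired signature."""
    parsed = urlparse(url)
    order_id = parsed.path.rsplit("/", 1)[-1]
    qs = parse_qs(parsed.query)
    try:
        exp = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed token: treat as unauthenticated
    now = int(now if now is not None else time.time())
    if now > exp:
        return None  # link has expired
    if not hmac.compare_digest(sig, _sign(order_id, exp)):
        return None  # tampered order id, expiry or signature
    return ORDERS.get(order_id)
```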
 